b'\x0c\x0c                         OFFICE OF INSPECTOR GENERAL\n\nSEMIANNUAL REPORT TO CONGRESS\n\n          O C TO B E R 1 , 2 01 3 , T H R O U G H M A R C H 3 1 , 2 01 4\n\n\n\n\n T\n         he mission of the Office of Inspector General (OIG) is to prevent and detect fraud,\n         waste, and abuse and to promote the integrity, economy, efficiency, and effective\xc2\xad\n         ness in the critical programs and operations of the U.S. Securities and Exchange\n Commission (SEC or agency). This mission is best achieved by having an effective, vigor\xc2\xad\n ous, and independent office of seasoned and talented professionals. Those individuals carry\n out the OIG\xe2\x80\x99s mission by performing these functions:\n\n \xe2\x80\xa2\t   conducting independent and objective audits, evaluations, inspections, investigations,\n      and other reviews of SEC programs and operations;\n \xe2\x80\xa2\t   preventing and detecting fraud, waste, abuse, and mismanagement in SEC programs\n      and operations;\n \xe2\x80\xa2\t   identifying vulnerabilities in SEC systems and operations and recommending\n      constructive solutions;\n \xe2\x80\xa2    offering expert assistance to improve SEC programs and operations;\n \xe2\x80\xa2\t   communicating timely and useful information that facilitates management decision\n      making and the achievement of measurable gains; and\n \xe2\x80\xa2\t   keeping the Congress and the Commission fully and currently informed of significant\n      issues and developments.\n\n\n\n\n                                                   O C TO B E R 1 , 2 01 3 \xe2\x80\x93 M A R C H 3 1 , 2 01 4   |   i\n\x0c\x0c                                  CONTENTS\n\n\nMESSAGE FROM THE INSPECTOR GENERAL . . . . . . . . . . . . . . . . . . . . . . . . . . 1\n\n\nMANAGEMENT AND ADMINISTRATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3\nAgency Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3\nOIG Staffing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3\n\n\nCONGRESSIONAL REQUESTS AND BRIEFINGS . . . . . . . . . . . . . . . . . . . . . . . . 4\n\n\nOIG ADVICE AND ASSISTANCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5\nOIG Outreach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5\nEmployee Suggestion Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5\nOther Advice and Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6\n\n\nCOORDINATION WITH OTHER OFFICES OF INSPECTOR GENERAL . . . . . . . . . . . . . 7\n\n\nAUDITS AND EVALUATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9\nOverview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9\nAudits and Evaluations Conducted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9\n   Controls Over the SEC\xe2\x80\x99s Government Purchase Card Program\n        (Report No. 517) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9\n    Federal Information Security Management Act:\n        Fiscal Year 2013 Evaluation (Report No. 522) . . . . . . . . . . . . . . . .       . . . . . 10\n    Inspector General\xe2\x80\x99s Report of the SEC\xe2\x80\x99s Fiscal Year 2013\n        Compliance with the Improper Payments Information Act . . . . . . . . .            .   .   .   .   . 11\nPending Audits and Evaluations . . . . . . . . . . . . . . . . . . . . . . . . . . . .     .   .   .   .   . 11\n    Review of the SEC\xe2\x80\x99s Practices for Sanitizing Digital Information System Media .        .   .   .   .   . 11\n    Audit of the SEC\xe2\x80\x99s Physical Security Program . . . . . . . . . . . . . . . . . . .     .   .   .   .   . 11\n    Audit of Controls Over the SEC\xe2\x80\x99s Inventory of Laptop Computers . . . . . . .           .   .   .   .   . 12\nTerminated Audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .   .   .   .   .   . 12\n    Termination of Assessment of the SEC\xe2\x80\x99s Hiring Practices for\n        Senior Level Positions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12\n\n\n\n\n                                                      O C TO B E R 1 , 2 01 3 \xe2\x80\x93 M A R C H 3 1 , 2 01 4            |   iii\n\x0c         INVESTIGATIONS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13\n         Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .   .   .   .   .   . 13\n         Status of Previously Reported Investigations . . . . . . . . . . . . . . . . . . . . . .   .   .   .   .   . 13\n             Allegations of Prohibited Personnel Practices (Report No. OIG-586) . . . . . .         .   .   .   .   . 13\n             Violations of SEC Ethics Rules (Report No. OIG-594) . . . . . . . . . . . . . .        .   .   .   .   . 14\n         Investigations Conducted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .   .   .   .   .   . 14\n             Allegations of Improper Disclosure of Nonpublic and Personally\n                  Identifiable Information by an SEC Contractor (Case No. OIG-574) . . . .          . . . . . 14\n             Violations of SEC Supplemental Ethics Rules by an SEC Staff Accountant\n                  (Case No. OIG-585) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .      . . . . . 14\n             False Statements Related to Prohibited Financial Holdings (Case No. OIG-598)           . . . . . 15\n             Departing SEC Employee\xe2\x80\x99s Attempt to Remove Nonpublic Information\n                  From the SEC (Case No. OIG-600) . . . . . . . . . . . . . . . . . . . . .         . . . . . 15\n             Unauthorized Disclosure of Nonpublic Information From\n                  Executive Session Commission Meeting (Case No. OIG-601) . . . . . . . .           . . . . . 16\n             Former SEC Employee\xe2\x80\x99s Possession of SEC Documents Containing\n                  Nonpublic Information (Case No. OIG-610) . . . . . . . . . . . . . . . .          . . . . . 16\n\n\n         REVIEW OF LEGISLATION AND REGULATIONS. . . . . . . . . . . . . . . . . . . . . . . . 17\n\n\n         MANAGEMENT DECISIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18\n         Status of Recommendations With No Management Decisions            . . . . . . . . . . . . . . . . . 18\n         Revised Management Decisions . . . . . . . . . . . . . . . .      . . . . . . . . . . . . . . . . . 18\n         Agreement With Significant Management Decisions . . . . . .       . . . . . . . . . . . . . . . . . 18\n         Instances Where the Agency Refused or Failed to Provide\n              Information to the OIG . . . . . . . . . . . . . . . . . .   . . . . . . . . . . . . . . . . . 18\n\n\n\n\niv   |   O I G S E M I A N N UA L R E P O RT TO CO N G R E SS\n\x0cTABLES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19\n\nTable 1 List of Reports: Audits and Evaluations. . . . . . . . . . . . .     . . . . . . . . . . . . 19\n\nTable 2 Reports Issued With Costs Questioned or Funds Put to\n\n             Better Use (Including Disallowed Costs) . . . . . . . . . .     . . . . . . . . . . . . 19\n\nTable 3 Reports With Recommendations on Which Corrective Action\n\n             Has Not Been Completed. . . . . . . . . . . . . . . . . .       . . . . . . . . . . . . 20\n\nTable 4 Summary of Investigative Activity for the Reporting Period of\n\n             October 1, 2013 to March 31, 2014 . . . . . . . . . . . .       . . . . . . . . . . . . 21\n\nTable 5 References to Reporting Requirements of the\n\n             Inspector General Act . . . . . . . . . . . . . . . . . . . .   . . . . . . . . . . . . 22\n\n\n\nAPPENDIX A. PEER REVIEWS OF OIG OPERATIONS . . . . . . . . . . . . . . . . . . . . . 23\n\nPeer Review of the SEC OIG\xe2\x80\x99s Audit Operations . . . . . . . . . . . . . . . . . . . . . . . . 23\n\nPeer Review of the SEC OIG\xe2\x80\x99s Investigative Operations . . . . . . . . . . . . . . . . . . . . . 23\n\n\n\n\n\n                                                      O C TO B E R 1 , 2 01 3 \xe2\x80\x93 M A R C H 3 1 , 2 01 4     |   v\n\x0c\x0c             ABBREVIATIONS\n\n\nAct           The Government Charge Card Abuse Prevention Act of 2012\nAFR           Agency Financial Report\nAgency        U.S. Securities and Exchange Commission\nCIGFO         Council of Inspectors General on Financial Oversight\nCIGIE         Council of the Inspectors General on Integrity and Efficiency\nDodd-Frank    Dodd-Frank Wall Street Reform and Consumer Protection Act\nDOJ           Department of Justice\nEEOC          U.S. Equal Employment Opportunity Commission\nFAEC          Federal Audit Executive Council\nFASB          Financial Accounting Standards Board\nFINRA         Financial Industry Regulatory Authority\nFISMA         Federal Information Security Management Act\nFTE           full-time equivalents\nFY            fiscal year\nGAGAS         Generally Accepted Government Auditing Standards\nIG            Inspector General\nIPIA          Improper Payments Information Act\nJOBS Act      Jumpstart Our Business Startups Act\nLSC           Legal Services Corporation\nMSRB          Municipal Securities Rulemaking Board\nOA            Office of Acquisitions\nOIG           Office of Inspector General\nOMB           Office of Management and Budget\nORMS          Office of Records Management Services\nOSO           Office of Support Operations\nPCAOB         Public Company Accounting Oversight Board\nPIV           Personal Identity Verification\nSEC           U.S. Securities and Exchange Commission\nSIPC          Securities Investor Protection Corporation\nSO            Senior Officer\nUSAO          United States Attorney\xe2\x80\x99s Office\n\n\n\n\n                                    O C TO B E R 1 , 2 01 3 \xe2\x80\x93 M A R C H 3 1 , 2 01 4   |   vii\n\x0cThe OIG leadership team\ncontinues to review and\nstrengthen the OIG\xe2\x80\x99s\ninternal processes and\nprocedures to ensure that\nwe are an effective,\nresponsive entity.\n\x0c                           MESSAGE FROM THE\n\n                          INSPECTOR GENERAL\n\n\n\n                                  I\n                                        am pleased to present this Semiannual Report to Con\xc2\xad\n                                        gress as Inspector General (IG) of the SEC. This report\n                                        describes the work of the SEC OIG from October 1, 2013,\n                                  to March 31, 2014. It also reflects our responsibility to report\n                                  independently to both the Congress and the Commission. The\n                                  audits, evaluations, and investigations that we describe illus\xc2\xad\n                                  trate the OIG\xe2\x80\x99s efforts to promote the efficiency and effective\xc2\xad\n                                  ness of the SEC and demonstrate the impact that our work has\n                                  had on the programs and operations of the agency.\n\nDuring this semiannual reporting period, I com\xc2\xad           with the Commission to ensure that the OIG has the\npleted my first full year as the SEC IG. When I           necessary resource levels to do so.\narrived in February 2013, the SEC OIG had been\noperating with several staffing deficiencies. We filled   The OIG leadership team continues to review\ntwo key senior positions during the first half of the     and strengthen the OIG\xe2\x80\x99s internal processes and\nyear and, during this half, we hired a senior leader      procedures to ensure that we are an effective,\nresponsible for overseeing the OIG\xe2\x80\x99s audits, evalua\xc2\xad      responsive entity. To that end, we have formed\ntions, and special projects. With the pillar leadership   a team of investigative analysts whose role is to\nin place, the OIG has begun to hire the auditors          receive, track, and triage all complaints we receive\nand investigators needed to fill shortages within our     and also to assist our investigators in collecting and\nvarious functions. Rebuilding the OIG staff will          analyzing data to support the OIG\xe2\x80\x99s investigations.\nenhance the OIG\xe2\x80\x99s ability to achieve its mission, and     The OIG also issued an updated audit manual with\nI will continue to work closely with the SEC to add       procedures designed to increase planning and audit\nOIG staff during the coming months. I am commit\xc2\xad          management involvement during all phases of our\nted to carrying out the OIG\xe2\x80\x99s statutory oversight of      audits. Further, the OIG plans to implement a team\nthe SEC\xe2\x80\x99s programs and operations and will work           approach to auditing, which will increase audit\n\n\n\n\n                                                           O C TO B E R 1 , 2 01 3 \xe2\x80\x93 M A R C H 3 1 , 2 01 4   |   1\n\x0cquality and efficiency. We continue to improve our       Additionally, the OIG implemented its SEC out\xc2\xad\nbusiness support processes as we strive for increased    reach program during this reporting period. To\nefficiencies and responsiveness. In addition, we         date, OIG managers and I have visited 10 of the 11\ndeveloped an OIG employee onboarding program             SEC regional offices and have met with the Office\nand issued an OIG training and development policy.       of the Chief Operating Officer. We plan to visit\n                                                         the remaining regional office and other headquar\xc2\xad\nDuring this reporting period, the Office of Audits       ters offices in the near future. The OIG\xe2\x80\x99s outreach\nissued two reports. On March 28, 2014, we issued         presentation is now included in the SEC\xe2\x80\x99s biweekly\na report entitled \xe2\x80\x9cControls Over the SEC\xe2\x80\x99s Gov\xc2\xad          new employee orientation sessions. These outreach\nernment Purchase Card Program.\xe2\x80\x9d That report              efforts will increase the OIG\xe2\x80\x99s visibility and further\ndetails our audit of the SEC\xe2\x80\x99s purchase card and         enhance SEC employees\xe2\x80\x99 understanding of the role\nconvenience check operations and practices under         and functions of the OIG. They will also serve to\nthe Government Charge Card Abuse Prevention              educate employees on the applicable ethics require\xc2\xad\nAct of 2012. Also, on March 31, 2014, we issued          ments and their obligations to report fraud, waste,\n\xe2\x80\x9cFederal Information Security Management Act             and abuse to the appropriate authorities.\n(FISMA): Fiscal Year 2013 Evaluation,\xe2\x80\x9d which is\nour assessment of the SEC\xe2\x80\x99s fiscal year (FY) 2013        In closing, I want to emphasize my firm com\xc2\xad\nimplementation of information security require\xc2\xad          mitment to executing the SEC OIG\xe2\x80\x99s mission of\nments under FISMA.                                       promoting the integrity, efficiency, and effectiveness\n                                                         of the programs and operations of the SEC and to\nThe SEC OIG Office of Investigations completed           reporting our findings and recommendations to\nseven investigations during this reporting period on     the Congress and the Commission. The OIG will\nvarious topics, including the disclosure, possession,    improve its efficiency and effectiveness by continu\xc2\xad\nor removal from the SEC, of nonpublic informa\xc2\xad           ing to make organizational and procedural changes\ntion; false statements about prohibited financial        and by increasing its staffing resources. We will\nholdings; and violations of SEC Supplemental             also continue to work collaboratively with SEC\nEthics Rules. Our investigations resulted in eight       management to assist the agency in addressing\nreferrals to the Department of Justice (DOJ), and        the challenges it faces in its unique and important\nthe DOJ accepted two of those referrals for possible     mission of protecting investors, maintaining fair,\nprosecution. We also issued an investigative memo\xc2\xad       orderly, and efficient markets, and facilitating\nrandum recommending specific improvements that           capital formation.\nthe agency could make in its policies and proce\xc2\xad\ndures for the SEC employee exit process.                 I appreciate the significant support that the OIG\n                                                         has received from the Congress and the Com\xc2\xad\nThe Office of Audits and the Office of Investiga\xc2\xad        mission. We look forward to continuing to work\ntions also worked with SEC management to close           closely with the SEC Chair, Commissioners, and\n27 recommendations made in OIG reports issued            employees, as well as the Congress, to increase\nduring this and previous semiannual reporting            efficiency and effectiveness in the SEC\xe2\x80\x99s programs\nperiods.                                                 and operations.\n\n\n\n\n                                                                                 Carl W. Hoecker\n                                                                                 Inspector General\n\n\n\n\n2   |   O I G S E M I A N N UA L R E P O RT TO CO N G R E SS\n\x0c                            MANAGEMENT AND\n\n                             ADMINISTRATION\n\n\nAGENCY OVERVIEW                                           funds and other private funds, more than 1,000\n\n\n\nT\n         he SEC\xe2\x80\x99s mission is to protect investors,        municipal advisors, 10 registered credit rating agen\xc2\xad\n         maintain fair, orderly, and efficient markets,   cies, and 7 registered clearing agencies. And, the\n         and facilitate capital formation. The SEC        agency has nearly 100 new rulemaking responsibili\xc2\xad\nstrives to promote a market environment that is           ties under the Dodd-Frank Wall Street Reform and\nworthy of the public\xe2\x80\x99s trust and characterized by         Consumer Protection Act (Dodd-Frank) and the\ntransparency and integrity. Its core values consist of    Jumpstart Our Business Startups Act (JOBS Act).\nintegrity, accountability, effectiveness, teamwork,\nfairness, and commitment to excellence. The SEC\xe2\x80\x99s         The SEC accomplishes its mission through 5 main\ngoals are to foster and enforce compliance with the       divisions\xe2\x80\x94Corporation Finance, Enforcement,\nFederal securities laws; establish an effective regula\xc2\xad   Investment Management, Trading and Markets,\ntory environment; facilitate access to the information    and Economic and Risk Analysis\xe2\x80\x94and 21 func\xc2\xad\ninvestors need to make informed investment deci\xc2\xad          tional offices. The SEC\xe2\x80\x99s headquarters is in Wash\xc2\xad\nsions; and enhance the SEC\xe2\x80\x99s performance through          ington, DC, and there are 11 regional offices located\neffective alignment and management of human               throughout the country. As of the end of FY 2013,\nresources, information, and financial capital.            the SEC employed 4,023 fulltime equivalent (FTE)\n                                                          employees, consisting of 3,903 permanent and 120\nThe agency currently oversees over 11,000 invest\xc2\xad         temporary FTE employees.\nment advisers, almost 10,000 mutual funds,\n4,450 broker-dealers, 450 transfer agents, as well        OIG STAFFING\nas the Public Company Accounting Oversight                In January 2014, the IG appointed a Deputy IG\nBoard (PCAOB), the Financial Industry Regula\xc2\xad             for Audits, Evaluations, and Special Projects. The\ntory Authority (FINRA), the Municipal Securities          Deputy IG\xe2\x80\x99s biography is on the OIG\xe2\x80\x99s website at\nRulemaking Board (MSRB), the Securities Investor          www.sec.gov/about/offices/oig/inspector_\nProtection Corporation (SIPC), and the Financial          general_admin_bios.shtml. During this reporting\nAccounting Standards Board (FASB). The SEC also           period, the OIG also hired eight other employees\xe2\x80\x94\nhas responsibility for reviewing the disclosures and      three criminal investigators, three auditors, and two\nfinancial statements of approximately 9,000 report\xc2\xad       investigative analysts. Although the OIG is making\ning companies. The agency has new or expanded             progress towards operating at full capacity, filling\nresponsibilities over the derivatives markets, an         other vacancies remains a priority for the OIG.\nadditional 2,500 exempt reporting advisers to hedge\n\n\n                                                           O C TO B E R 1 , 2 01 3 \xe2\x80\x93 M A R C H 3 1 , 2 01 4   |   3\n\x0c                 CONGRESSIONAL REQUESTS\n\n                     AND BRIEFINGS\n\n\n\nT\n        he OIG continued to keep the Congress fully      whether any of the SEC\xe2\x80\x99s personnel practices have\n        and currently informed of the OIG\xe2\x80\x99s activi\xc2\xad      created a discriminatory workplace or otherwise\n        ties through briefings, reports, meetings,       systematically disadvantaged minorities from\nand correspondence. Throughout the semiannual            obtaining senior management positions. The OIG\nreporting period, OIG staff briefed Congressional        provided a preliminary response acknowledging\nstaff and discussed with them OIG work and issues        the request on March 28, 2014, and sent a simi\xc2\xad\nimpacting the SEC.                                       lar notification to the applicable Committee and\n                                                         Subcommittee Chairmen on March 31, 2014. As of\nIn addition, on March 24, 2014, several members          the end of the semiannual reporting period, the OIG\nof the U.S. House of Representatives Committee on        was continuing to review the request and plans to\nFinancial Services requested that the OIG review         address it during the next reporting period.\n\n\n\n\n4   |   O I G S E M I A N N UA L R E P O RT TO CO N G R E SS\n\x0c                                OIG ADVICE AND\n\n                                  ASSISTANCE\n\n\n\nT\n         he OIG advises and assists the SEC in vari\xc2\xad     tively in identifying the most important areas for the\n         ous ways. For one, the OIG maintains an         OIG\xe2\x80\x99s work, as well as the best means of addressing\n         open line of communication with the Com\xc2\xad        the results of that work. The OIG continually strives\nmission and management officials through meet\xc2\xad           to keep apprised of changes to agency programs\nings and conversations. Also, the OIG has begun          and operations and will keep SEC management\n\xe2\x80\x9coutreach\xe2\x80\x9d efforts through visits to different SEC       informed of the OIG\xe2\x80\x99s activities and concerns raised\noffices to explain the OIG\xe2\x80\x99s function as it relates to   in the course of its work.\nthe responsibilities of SEC employees.\n                                                         The OIG also implemented its SEC outreach\nIn addition, the OIG advises and assists the agency      program during this reporting period. The goal of\non various matters through memoranda and cor\xc2\xad            this program is to increase the OIG\xe2\x80\x99s visibility and\nrespondence, as well as verbal communications.           further enhance SEC employees\xe2\x80\x99 understanding of\nFor example, during this reporting period, the           the OIG\xe2\x80\x99s role and function. The program is also\nOIG 1) relayed information to SEC management             designed to educate employees on the applicable\nfor possible action in response to its evaluation of     ethics requirements and their obligations to report\nemployee suggestions; and 2) alerted SEC manage\xc2\xad         fraud, waste, and abuse to the appropriate authori\xc2\xad\nment about unsecured sensitive files located on an       ties. During this semiannual reporting period, the\ninternal network drive.                                  IG and OIG managers visited 10 of the 11 SEC\n                                                         regional offices and met with the Office of the\nOIG OUTREACH                                             Chief Operating Officer. The OIG plans to visit the\nDuring this semiannual reporting period, the IG          remaining regional office and other headquarters\nregularly met with the SEC Chair and Commission\xc2\xad         offices in the near future. Additionally, the OIG\xe2\x80\x99s\ners and senior officers from various SEC divisions       outreach presentation is now included in the SEC\xe2\x80\x99s\nand offices to foster open communication at all lev\xc2\xad     biweekly new employee orientation sessions.\nels between the OIG and the agency. These efforts\nensure that the OIG is kept up to date on signifi\xc2\xad       EMPLOYEE SUGGESTION PROGRAM\ncant, current matters that are relevant to the OIG\xe2\x80\x99s     During this 6-month reporting period, the OIG\nwork. This regular communication also allows the         received eight suggestions and three allegations\nOIG and agency management to work coopera\xc2\xad               through the OIG SEC Employee Suggestion\n\n\n\n\n                                                          O C TO B E R 1 , 2 01 3 \xe2\x80\x93 M A R C H 3 1 , 2 01 4   |   5\n\x0cProgram. The OIG received responses from the             OTHER ADVICE AND ASSISTANCE\nagency for seven suggestions that we submitted to        During the ongoing evaluation of controls over the\nthe agency for its review during this and previous       SEC\xe2\x80\x99s media sanitization practices, an information\nreporting periods.                                       technology security firm, under contract with the\n                                                         OIG, found instances of unsecured sensitive and\nIn two instances, regional office employees sug\xc2\xad         nonpublic information on a network drive that\ngested that the agency could decrease the costs of       could be fully accessed by all SEC network users.\ncreating and maintaining hard-copy documents             To address the risk that such information could be\nwithin the Division of Enforcement. The employ\xc2\xad          improperly released and possibly harm the agency,\nees stated that the Division required employees to       the OIG notified SEC management of the risk posed\nmaintain correspondence or other documents in            by the unsecured, broadly accessible information on\nhard-copy (paper) format. The employees suggested        that drive. Management took immediate correc\xc2\xad\nthat instead of maintaining hard copies, documents       tive action by disabling the drive, pending further\ncould be digitally scanned and archived, eliminating     review by the Office of Information Technology\nthe need for paper copies. In response, the agency       (OIT). However, when verifying the effectiveness of\nstated that it would provide additional guidance         management\xe2\x80\x99s corrective actions, we identified, and\nabout the Division\xe2\x80\x99s record retention require\xc2\xad           brought to management\xe2\x80\x99s attention, another issue\nments, including specific guidance explaining that       pertaining to unsecured folders on the network.\nemployees are not required to maintain records in        When notified, management began to address this\nany particular media or maintain duplicate copies        additional issue. We will update the agency\xe2\x80\x99s prog\xc2\xad\nof records. The agency also indicated that it would      ress in the media sanitization report.\nprovide informational sessions to employees about\nrecords retention policies and requirements.\n\n\n\n\n6   |   O I G S E M I A N N UA L R E P O RT TO CO N G R E SS\n\x0c         COORDINATION WITH OTHER\n\n        OFFICES OF INSPECTOR GENERAL\n\n\n\nD\n         uring this semiannual reporting period, the     The SEC IG also attended meetings of the Council\n         SEC OIG coordinated its activities with         of the Inspectors General on Integrity and Efficiency\n         those of other OIGs, pursuant to Section        (CIGIE) and continues to serve as the Chairman of\n4(a)(4) of the Inspector General Act of 1978, as         the CIGIE Investigations Committee. The mission of\namended.                                                 the Investigations Committee is to advise the Inspec\xc2\xad\n                                                         tor General community on issues involving criminal\nSpecifically, the OIG participated in the meetings and   investigations and criminal investigations personnel\nactivities of the Council of Inspectors General on       and to establish criminal investigative guidelines.\nFinancial Oversight (CIGFO), which was established\nby Dodd-Frank. The chairman of CIGFO is the IG           In addition, the Office of Audits continues to par\xc2\xad\nof the Department of the Treasury. Other members         ticipate in various CIGIE activities. For example, a\nof the Council, in addition to the IGs of the SEC and    representative of the Office of Audits is a member\nTreasury, are the IGs of the Board of Governors of       of a working group that is revising the \xe2\x80\x9cGuide for\nthe Federal Reserve System, the Commodity Futures        Conducting External Peer Reviews of the Audit\nTrading Commission, the Department of Hous\xc2\xad              Organizations of Federal Offices of Inspector\ning and Urban Development, the Federal Deposit           General.\xe2\x80\x9d Office of Audits staff also participated\nInsurance Corporation, the Federal Housing Finance       in activities of the CIGIE Federal Audit Executive\nAgency, the National Credit Union Administra\xc2\xad            Council (FAEC), including serving on the FAEC\xe2\x80\x99s\ntion, and also the Special Inspector General for         Audit Policies and Practices Committee and attend\xc2\xad\nthe Troubled Asset Relief Program. As required by        ing training that FAEC provided.\nDodd-Frank, CIGFO meets at least once every 3\nmonths. At the CIGFO meetings, the members share         Moreover, the Office of Audits assisted two other\ninformation about their ongoing work, with a focus       Federal agency OIGs that were \xe2\x80\x9cbenchmarking\xe2\x80\x9d\non concerns that may apply to the broader financial      certain of their agencies\xe2\x80\x99 practices to the business\nsector and ways to improve financial oversight. Fur\xc2\xad     practices of other agencies, including the SEC.\nther, the SEC OIG\xe2\x80\x99s Office of Audits participated in     Specifically, the Office of Audits gathered and\na CIGFO working group that is assessing the extent       provided information on 1) the SEC\xe2\x80\x99s practices\nto which the operations of the Financial Stability       for revising its written policies and procedures\nOversight Council are consistent with the expecta\xc2\xad       governing its internal functions to assist an OIG\ntions outlined in its transparency policy.               with reviewing its agency\xe2\x80\x99s process for internal\n\n\n\n\n                                                          O C TO B E R 1 , 2 01 3 \xe2\x80\x93 M A R C H 3 1 , 2 01 4   |   7\n\x0cmanagement directives; and 2) the SEC\xe2\x80\x99s methods          Lastly, the Counsel to the IG participated in the\nfor allocating and managing its investor protec\xc2\xad         activities of the Council of Counsels to the Inspec\xc2\xad\ntion resources to assist another OIG in reviewing        tors General, and the SEC Legislative and External\nits agency\xe2\x80\x99s management of consumer protection           Affairs Counsel continued to participate in the\nresources.                                               CIGIE External Affairs liaisons\xe2\x80\x99 group and hosted a\n                                                         quarterly meeting.\n\n\n\n\n8   |   O I G S E M I A N N UA L R E P O RT TO CO N G R E SS\n\x0c                                     AUDITS AND\n\n                                    EVALUATIONS\n\n\nOVERVIEW                                                 AUDITS AND EVALUATIONS\n\n\nT\n        he OIG Office of Audits conducts, coordi\xc2\xad        CONDUCTED\n        nates, and supervises independent audits\n        and evaluations of the agency\xe2\x80\x99s programs         Controls Over the SEC\xe2\x80\x99s Government\nand operations at the SEC\xe2\x80\x99s headquarters and 11          Purchase Card Program (Report No. 517)\nregional offices. The Office of Audits also hires,       The SEC OIG conducted an audit of the SEC\xe2\x80\x99s pur\xc2\xad\nas needed, contractors and subject matter experts,       chase card program. Government purchase cards,\nwho provide technical expertise in specific areas, to    by their nature, are at risk for misuse, fraud, waste,\nperform work on behalf of the OIG. In addition, the      and abuse. The Government Charge Card Abuse\nOffice of Audits monitors the SEC\xe2\x80\x99s progress in          Prevention Act of 2012 (Act) requires executive\ntaking corrective actions on recommendations in          agencies that issue and use purchase cards to \xe2\x80\x9cestab\xc2\xad\nOIG audit and evaluation reports.                        lish and maintain safeguards and internal controls\xe2\x80\x9d\n                                                         over their usage. The Act further requires the IG of\nEach year, the Office of Audits prepares an annual       each executive agency to conduct, at a minimum,\naudit plan. The plan includes work that the Office       annual assessments of the agency\xe2\x80\x99s purchase card\nselects for audit or evaluation on the basis of risk     program and to perform analyses or audits, as neces\xc2\xad\nand materiality, known or perceived vulnerabilities      sary, of purchase card transactions. The Act also\nand inefficiencies, resource availability, and infor\xc2\xad    requires IGs to report to the Director of the Office\nmation received from the Congress, SEC staff, the        of Management and Budget (OMB) 120 days after\nGAO, and the public.                                     the end of each fiscal year on their agencies\xe2\x80\x99 progress\n                                                         in implementing OIG audit recommendations made\nThe Office conducts audits in compliance with            to address the findings of any analysis or audit of\nGenerally Accepted Government Auditing Standards         the agency\xe2\x80\x99s purchase card program. We issued the\n(GAGAS) issued by the Comptroller General of the         required report to the OMB on January 27, 2014,\nUnited States. OIG evaluations follow applicable         stating that we were in the process of auditing the\nCIGIE Quality Standards for Inspections and Evalu\xc2\xad       SEC\xe2\x80\x99s purchase card program.\nations and GAGAS standards. At the completion\nof an audit or evaluation, the OIG issues an inde\xc2\xad       We conducted a risk assessment of the SEC\xe2\x80\x99s pur\xc2\xad\npendent report in which it identifies deficiencies and   chase card program and determined an overall risk\nmakes recommendations to correct those deficiencies      level of \xe2\x80\x9cmoderate,\xe2\x80\x9d and we issued our final audit\nor increase efficiencies in an SEC program.              report on March 28, 2014. We found that the SEC\n\n\n                                                          O C TO B E R 1 , 2 01 3 \xe2\x80\x93 M A R C H 3 1 , 2 01 4   |   9\n\x0cOffice of Acquisitions (OA), which is responsible for   management agreed to implement all of the\nthe management of the SEC\xe2\x80\x99s purchase card pro\xc2\xad          report\xe2\x80\x99s recommendations. The OIG\xe2\x80\x99s report\ngram, has established internal controls that reduce     is available on its website at www.sec.gov/oig/\nthe risk of fraud, waste, and abuse in the use of       reportspubs/2014/517.pdf.\npurchase cards and convenience checks. Moreover,\nwe did not find instances of illegal or erroneous use   Also, the OIG\xe2\x80\x99s January 27, 2014, letter report to\nof purchase cards or convenience checks, although       the OMB is available on its website at www.sec.\nwe did determine that certain areas of the program      gov/oig/reportspubs/purchasecardabusepreven\xc2\xad\nneeded strengthening. Specifically, we found the        tion_012714.pdf.\nfollowing:\n                                                        Federal Information Security\n\xe2\x80\xa2\t   purchase cardholders and approving officials       Management Act: Fiscal Year 2013\n     did not complete or properly document all          Evaluation (Report No. 522)\n     required training;                                 FISMA provides a comprehensive framework\n\xe2\x80\xa2\t   controls over purchase card and convenience        to ensure the effectiveness of security controls\n     check transactions needed improvement;             over information resources that support Federal\n\xe2\x80\xa2\t   the OA did not always adjust monthly credit        operations and assets. FISMA also requires IGs to\n     limits as necessary or meet all requirements of    annually assess the effectiveness of agency informa\xc2\xad\n     the Act;                                           tion security programs and practices and report the\n\xe2\x80\xa2\t   purchase cardholders and approving officials       results to the OMB. The overall objective of the FY\n     did not timely reconcile purchases with bank       2013 FISMA evaluation was to assess the SEC\xe2\x80\x99s\n     information;                                       information systems and information security pos\xc2\xad\n\xe2\x80\xa2\t   the OA did not develop a charge card man\xc2\xad          ture. The OIG contracted the services of Network\xc2\xad\n     agement plan and other information for the         ing Institute of Technology, Inc. (collectively referred\n     agency\xe2\x80\x99s reporting to the OMB; and                 to as \xe2\x80\x9cwe\xe2\x80\x9d and \xe2\x80\x9cour\xe2\x80\x9d) to conduct the evaluation.\n\xe2\x80\xa2\t   the OA did not review bank rebates for accu\xc2\xad\n     racy or verify that they were properly recorded.   To assess the SEC\xe2\x80\x99s security controls over its infor\xc2\xad\n                                                        mation systems and information security posture,\nIn September 2012, the OA assigned a new Agency/        we reviewed the security assessment packages for\nOrganization Program Coordinator, who has taken         seven of the SEC\xe2\x80\x99s major information systems (five\nsteps to improve the SEC\xe2\x80\x99s purchase card program.       internally hosted systems and two externally hosted\nDuring our audit, the Coordinator identified and        systems). The scope of our review consisted of the\nreported to management many of the deficiencies         following 11 areas specified in the OMB\xe2\x80\x99s FY 2013\nthat we observed. However, additional management        FISMA reporting instructions:\nattention is warranted to ensure that the SEC\xe2\x80\x99s safe\xc2\xad\nguards and internal controls over purchase card and     1.\t     continuous monitoring management;\nconvenience check use are adequate and effective.       2.\t     configuration management;\n                                                        3.\t     identity and access management;\nTo improve the SEC\xe2\x80\x99s controls over its purchase         4.\t     incident response and reporting;\ncard program, we made 11 recommendations. The           5.\t     risk management;\nrecommendations address training; controls over         6.\t     security training;\ntransactions; requirements of the Act; controls over    7.\t     plan of action and milestones;\nmonthly purchase limits; reconciliations with           8.\t     remote access management;\nbank information; and reviews of rebates. SEC           9.\t     contingency planning;\n\n\n\n\n10   |   O I G S E M I A N N UA L R E P O RT TO CO N G R E SS\n\x0c10. contractor systems; and                              The OIG\xe2\x80\x99s letter report is available on its website\n11. security capital planning.                           at www.sec.gov/about/offices/oig/reports/reppubs/\n                                                         other/2013_iperareport.pdf.\nThe OIG issued a final report to the agency on\nMarch 31, 2014. To strengthen the SEC\xe2\x80\x99s controls\nover information security, we reiterated that the        PENDING AUDITS AND EVALUATIONS\nOIT should take immediate action to address the\noutstanding recommendations from the OIG\xe2\x80\x99s FY            Review of the SEC\xe2\x80\x99s Practices for Sanitizing\n2011 and 2012 FISMA reports. We also made nine           Digital Information System Media\nnew recommendations for corrective action regard\xc2\xad        The SEC generates and collects commercially\ning contractor systems, multi-factor authentication,     valuable, market sensitive, proprietary, and other\nuser accounts, and configuration management. In          nonpublic information. To safeguard against unau\xc2\xad\nresponse to a draft of our report, SEC management        thorized disclosure of such information, the National\nconcurred with eight of the nine recommendations         Institute of Standards and Technology recommends\nand described corrective actions that management         that Federal agencies sanitize digital information\nplanned to take. SEC management did not concur           system media before its disposal or release outside\nwith the remaining recommendation, but nonethe\xc2\xad          the organization. Further, the SEC requires that the\nless did take actions to address the issue. A summary    agency\xe2\x80\x99s digital information system media, including\nof the OIG\xe2\x80\x99s report is available on its website at       hard drives, compact discs, and data tapes used to\nwww.sec.gov/oig/reportspubs/522.pdf.                     process and store information, be sanitized before\n                                                         disposal. Effective sanitization minimizes the risk of\nInspector General\xe2\x80\x99s Report of the                        inadvertent releases of information that are poten\xc2\xad\nSEC\xe2\x80\x99s Fiscal Year 2013 Compliance with the               tially damaging to the agency, its employees and con\xc2\xad\nImproper Payments Information Act                        tractors, and those entities that the SEC regulates.\nOn February 24, 2014, the SEC OIG reported the           To determine whether the SEC effectively sanitizes\nresults of its review of the SEC\xe2\x80\x99s compliance with the   surplus media before its disposal, the OIG hired a\nImproper Payments Information Act of 2002 (IPIA)         contractor to evaluate the agency\xe2\x80\x99s media sanitiza\xc2\xad\nfor FY 2013. To determine whether the SEC com\xc2\xad           tion practices.\nplied with IPIA, we reviewed the SEC\xe2\x80\x99s \xe2\x80\x9cImproper\nPayments Elimination and Recovery Improvement            The contractor has completed its fieldwork and is\nAct of 2012 Risk Assessment Summary Report,\xe2\x80\x9d             drafting a report. We expect to issue a final report\ndated June 16, 2013; documentation supporting            summarizing the contractor\xe2\x80\x99s findings during the\nthat report; and relevant disclosures in the SEC\xe2\x80\x99s FY    next semiannual reporting period.\n2013 Agency Financial Report (AFR), dated Decem\xc2\xad\nber 12, 2013. The result of the SEC\xe2\x80\x99s risk assessment    Audit of the SEC\xe2\x80\x99s Physical\nwas that none of the SEC\xe2\x80\x99s programs and activities       Security Program\nare susceptible to significant improper payments.        The OIG has hired a contractor to audit the SEC\nFurther, the AFR stated that the SEC had determined      Office of Support Operations\xe2\x80\x99 (OSO) controls for\nthat implementing a payment recapture program            safeguarding SEC personnel and property under its\nwould not be cost effective, but that it nonetheless     physical security program. Specifically, the audit will\nstrives to recover overpayments that it has identi\xc2\xad      examine (1) the OSO\xe2\x80\x99s compliance with governing\nfied through other sources. Given our review of the      physical security laws and regulations and the SEC\xe2\x80\x99s\ninformation described above, we determined that          policies and procedures; (2) the effectiveness of the\nthe SEC was in compliance with IPIA for FY 2013.         SEC\xe2\x80\x99s physical security policies and procedures; and\n\n\n\n\n                                                         O C TO B E R 1 , 2 01 3 \xe2\x80\x93 M A R C H 3 1 , 2 01 4   |   11\n\x0c(3) the adequacy of preventive internal control         The OIG is conducting this audit to evaluate the\nprocedures and practices for overseeing physical        effectiveness of the OIT\xe2\x80\x99s inventory program and\nsecurity at SEC facilities.                             its controls over laptops. The audit will focus\n                                                        on the OIT\xe2\x80\x99s policies and procedures governing\nThe contractor has completed its fieldwork and is       the inventory and accountability for laptops, the\ndrafting the audit report. We expect to issue a final   accuracy and completeness of the current inventory,\nreport summarizing the contractor\xe2\x80\x99s findings during     procedures for reporting lost or stolen laptops, and\nthe next semiannual reporting period.                   controls over information systems used to track the\n                                                        laptop inventory.\nAudit of Controls Over the SEC\xe2\x80\x99s\nInventory of Laptop Computers                           We expect to issue a final audit report during the\nEmployees and contractors of the SEC use laptop         next semiannual reporting period.\ncomputers, some of which store sensitive, nonpub\xc2\xad\nlic information, to support the agency\xe2\x80\x99s mission.\nIn Inspection Report No. 441, \xe2\x80\x9cControls Over            TERMINATED AUDIT\nLaptops,\xe2\x80\x9d March 31, 2008, the OIG found that the\nSEC\xe2\x80\x99s property management guidance did not              Termination of Assessment of the\nidentify laptops as sensitive property and that the     SEC\xe2\x80\x99s Hiring Practices for Senior Level\nOIT did not have effective accountability for           Positions\nlaptops. In addition, the OIG found that an SEC-        In 2011, the OIG initiated an audit of the SEC\xe2\x80\x99s\nwide inventory of laptops had not been performed        practices for hiring senior level officials. The audit\nsince 2003. Finally, because there was no baseline      objectives included examining whether the SEC\ninventory of laptops, the OIG was unable to trace       Office of Human Resources adheres to applicable\ncustody of laptops to specific individuals.             Federal statutes and regulations; ensures that the\n                                                        SEC carries out its hiring and promotion practices\nIn its 2008 report, the OIG made five recommenda\xc2\xad       in accordance with applicable statutes, regulations,\ntions to strengthen controls over the SEC\xe2\x80\x99s laptop      and requirements; and adequately and timely com\xc2\xad\ninventory, and SEC management concurred that            municates to responsible officials its hiring author\xc2\xad\nits accountability for laptops needed improve\xc2\xad          ity, decisions, and changes.\nment. In August 2013, the OIG Office of Inves\xc2\xad\ntigations referred information learned through an       During the course of this audit, the Office of\nongoing investigation of stolen SEC laptops to the      Human Resources revised its hiring practices. In\nOIG Office of Audits. The investigation revealed        addition, we did not test data after March 31,\nthat the OIT did not maintain accurate inventory        2012. To make the best use of our limited resources\nrecords to properly track laptops.                      and in light of the changes that the Office of\n                                                        Human Resources has made, we have terminated\n                                                        this audit. We will use the information that we\n                                                        have collected during this audit, as appropriate, in\n                                                        other ongoing and planned audits or evaluations.\n\n\n\n\n12   |   O I G S E M I A N N UA L R E P O RT TO CO N G R E SS\n\x0c                                 INVESTIGATIONS\n\n\nOVERVIEW                                                  grams and operations. The Hotline allows individu\xc2\xad\n\n\n\nT\n         he OIG Office of Investigations investigates     als to report their allegations to the OIG directly\n         allegations of criminal, civil, and adminis\xc2\xad     and confidentially.\n         trative violations relating to SEC programs\nand operations by SEC employees, contractors, and\noutside entities. These investigations may result in      STATUS OF PREVIOUSLY\ncriminal prosecutions, fines, civil penalties, adminis\xc2\xad   REPORTED INVESTIGATIONS\ntrative sanctions, and personnel actions.\n                                                          Allegations of Prohibited Personnel\nThe Office of Investigations adheres to the CIGIE         Practices (Report No. OIG-586)\nQuality Standards for Investigations and applicable       As reported in our previous Semiannual Report,\nguidelines that the U.S. Attorney General issues. The     the OIG investigated allegations that certain SEC\nOffice of Investigations continues to enhance its sys\xc2\xad    senior officers had violated merit system principles\ntems and processes to meet the demands of the OIG         and committed prohibited personnel practices by\nand to provide high quality investigative work.           hiring former colleagues. The OIG did not identify\n                                                          evidence that SEC senior officers intended to pro\xc2\xad\nInvestigations require extensive collaboration with       vide an improper advantage or preference in hiring.\nseparate SEC OIG component offices, other SEC             However, the OIG found that language in some of\ndivisions and offices, and outside agencies, as well      the documents that one senior officer had prepared\nas coordination with the DOJ. It is through these         and used for hiring was similar to language in\nefforts that the Office of Investigations is able to      materials that the senior officer had received from\nthoroughly identify vulnerabilities, deficiencies, and    her former colleagues who then applied for and\nwrongdoing that could negatively impact the SEC\xe2\x80\x99s         obtained the positions.\nprograms and operations.\n                                                          In September 2013, the OIG referred the report of\nThe Office of Investigations manages the OIG              its investigation to management for consideration\nHotline, which is available 24 hours a day, 7 days        of administrative action. In response to the OIG\xe2\x80\x99s\na week, to receive and process tips and complaints        report, during this semiannual reporting period,\nabout fraud, waste, or abuse related to SEC pro\xc2\xad          management verbally counseled two senior officers\n\n\n\n\n                                                          O C TO B E R 1 , 2 01 3 \xe2\x80\x93 M A R C H 3 1 , 2 01 4   |   13\n\x0cabout the need to remain vigilant in their adher\xc2\xad        The OIG investigation found that employees of\nence to merit system hiring principles and personnel     the subcontractor located outside the United States\npractices, especially when hiring former colleagues.     appeared to have accessed the SEC computer system\n                                                         and its data, potentially including personally identifi\xc2\xad\nViolations of SEC Ethics Rules                           able information. On learning that the subcontractor\n(Report No. OIG-594)                                     employees appeared to have accessed the system in\nOur previous Semiannual Report also described the        September 2011, the SEC notified all SEC employ\xc2\xad\nresults of the OIG\xe2\x80\x99s investigation of an SEC Senior      ees that this access occurred and offered them 12\nOfficer\xe2\x80\x99s (SO) failure to report, on financial disclo\xc2\xad   months of credit monitoring paid for by the agency.\nsure statements, the securities holdings of the SO\xe2\x80\x99s\nspouse and to comply with the SEC\xe2\x80\x99s supplemental         The OIG investigation found that the contractor\nethics rules about employee financial transactions.      had failed to inform the SEC that the subcontractor\nThrough its investigation, the OIG found evidence        employees had access to the SEC computer system\nthat the SO had not complied with various provi\xc2\xad         and may have misled the SEC about this issue. The\nsions of those rules. The OIG also identified evidence   OIG investigation further found that the contrac\xc2\xad\nof a possible conflict of interest and found that the    tor had not provided the names of the subcontrac\xc2\xad\nSO had disclosed nonpublic information to the            tor employees to the SEC for background checks,\nSO\xe2\x80\x99s spouse.                                             as required by the contract, and also had failed to\n                                                         provide the SEC with executed nondisclosure agree\xc2\xad\nIn September 2013, after the United States Attor\xc2\xad        ments for those employees.\nney\xe2\x80\x99s Office (USAO) declined prosecution, the\nOIG reported its investigative findings to SEC           The OIG referred information from its investiga\xc2\xad\nmanagement. In response to the OIG\xe2\x80\x99s report,             tion concerning the conduct of the SEC contractor\nduring this reporting period, management decided         and its principal to the DOJ as possible violations\nto suspend the SO for 14 days, and the SO served         of civil and criminal law. In 2013, the DOJ declined\nthe suspension.                                          to open a civil or criminal matter as a result of the\n                                                         OIG\xe2\x80\x99s investigation. Accordingly, the OIG closed its\n                                                         investigation.\nINVESTIGATIONS CONDUCTED\n                                                         Violations of SEC Supplemental Ethics\nAllegations of Improper Disclosure of                    Rules by an SEC Staff Accountant\nNonpublic and Personally Identifiable                    (Case No. OIG-585)\nInformation by an SEC Contractor                         The OIG conducted an investigation into whether an\n(Case No. OIG-574)                                       SEC staff accountant held certain securities that SEC\nThe OIG investigated allegations that an SEC con\xc2\xad        employees were prohibited from owning under the\ntractor allowed employees of a subcontractor that        SEC\xe2\x80\x99s Supplemental Ethics Rules and failed to report\nwas based outside of the United States to access an      those holdings on government financial disclosure\nSEC computer system and its data, which contained        forms.\npersonal information of SEC employees, including\ntheir financial holdings. The SEC had entered into       The OIG found that the staff accountant held several\nthis contract, through which the contractor was to       securities that became prohibited in August 2010,\nprovide the SEC with a computer system to support        when the Supplemental Ethics Rules went into effect.\nthe SEC\xe2\x80\x99s ethics program, on June 30, 2009.              In addition, we learned during our investigation that\n                                                         the staff accountant had purchased additional shares\n\n\n\n\n14   |   O I G S E M I A N N UA L R E P O RT TO CO N G R E SS\n\x0cof a prohibited holding and had failed to obtain          SEC\xe2\x80\x99s electronic system for preclearing and report\xc2\xad\nprior clearance of those transactions as required by      ing securities transactions\xe2\x80\x94that he was in compli\xc2\xad\nthe Supplemental Ethics Rules. We further found           ance with the SEC\xe2\x80\x99s ethics rules as of December 31,\nthat the staff accountant did not report this pro\xc2\xad        2012, when he in fact held stocks that were prohib\xc2\xad\nhibited holding on government financial disclosure        ited under the SEC\xe2\x80\x99s ethics rules. The complaint also\nforms even though the value of the holding exceeded       alleged that on two occasions in February 2013, the\nthe reporting threshold.                                  staff accountant falsely stated that he no longer held\n                                                          certain prohibited securities. As of the end of the\nThe OIG referred the matter to the USAO for pos\xc2\xad          semiannual reporting period, the criminal complaint\nsible prosecution and also reported the findings of       was pending.\nits investigation to SEC management. Thereafter, the\nstaff accountant resigned from the SEC. In February       Departing SEC Employee\xe2\x80\x99s Attempt to\n2014, the USAO declined prosecution of the matter.        Remove Nonpublic Information\n                                                          From the SEC (Case No. OIG-600)\nFalse Statements Related to Prohibited                    The OIG investigated allegations that a departing\nFinancial Holdings (Case No. OIG-598)                     SEC employee may have stolen sensitive documents.\nThe OIG investigated the accuracy of an SEC staff         Specifically, the OIG learned that the OSO Office\naccountant\xe2\x80\x99s certifications that the securities he        of Records Management Services (ORMS) had\nowned were in compliance with the SEC\xe2\x80\x99s Supple\xc2\xad           identified sensitive information in materials that\nmental Ethics Rules, including rules that prohibit        were being shipped from the SEC to the employee\xe2\x80\x99s\nSEC employees from owning securities in entities          new employer, a private firm, and that SEC manage\xc2\xad\nthat are directly regulated by the SEC. The OIG           ment was concerned about the potential release of\nalso investigated whether the staff accountant had        nonpublic information.\nsubsequently divested the prohibited holdings as he\nclaimed he had done. The OIG had discovered these         The OIG reviewed the employee\xe2\x80\x99s documents, iden\xc2\xad\nissues in the course of another investigation.            tified nonpublic information, prevented information\n                                                          from leaving the SEC, and recovered other non-\nThrough its investigation, the OIG found evidence         public information from the employee\xe2\x80\x99s residence.\nthat the staff accountant had 1) falsely certified that   The OIG determined that this investigation did not\nhis holdings were in compliance with the SEC\xe2\x80\x99s            uncover criminal violations and, therefore, did not\nregulations when he held stock in several prohib\xc2\xad         refer the matter to the DOJ for possible prosecution.\nited companies; and 2) falsely claimed that he had        Further, because the employee had left the SEC, the\ndivested certain prohibited holdings when he had          OIG determined that a referral to management for\ntransferred them to a brokerage account that he           administrative action was not warranted. However,\ncontrolled. The OIG referred the matter to the            the OIG identified certain areas that the SEC could\nUSAO, which accepted the case for prosecution.            improve in its employee exit process.\n\nThe USAO filed a criminal complaint against the           To address those issues, the OIG provided Investiga\xc2\xad\nstaff accountant, charging him with three counts of       tive Memorandum IM-14-001 to SEC management\nmaking false statements to the SEC about his own\xc2\xad         on March 10, 2014. The ORMS had issued a new\nership of prohibited securities, and the staff accoun\xc2\xad    directive (\xe2\x80\x9cOperating Procedure 7-1e\xe2\x80\x9d), which\ntant was arrested on November 19, 2013. The               included information about the types of documents\ncriminal complaint alleged that, in January 2013,         that employees could not keep or remove upon their\nthe staff accountant falsely certified\xe2\x80\x94through the        departure from the SEC and required employees to\n\n\n\n\n                                                          O C TO B E R 1 , 2 01 3 \xe2\x80\x93 M A R C H 3 1 , 2 01 4   |   15\n\x0ccomplete a records clearance form. However, the           had attended or had information about the closed\nOIG found that the directive did not provide for          Commission meeting. The OIG also reviewed SEC\na review of documents that a departing employee           emails, telephone and BlackBerry records, and\nplans to remove from the SEC by the departing             records showing the news reporters\xe2\x80\x99 access to the\nemployees\xe2\x80\x99 division or office. Therefore, the OIG         SEC headquarters building around the time of that\nrecommended in IM-14-001 that the agency\xe2\x80\x99s exit           closed meeting. The OIG was unable to determine\nprocedures and policies be revised to require the divi\xc2\xad   which specific individual or individuals had improp\xc2\xad\nsions or offices of departing employees to 1) review      erly disclosed information from the closed Commis\xc2\xad\nthe documents that the employees plan to remove           sion meeting. However, the OIG determined that\nfrom the SEC and 2) determine which documents             an SEC employee may have confirmed to one of\ndeparting employees are authorized to remove. The         the news reporters certain nonpublic information.\nOIG also recommended that this determination be           The OIG also learned during its investigation that\ndocumented in the SEC\xe2\x80\x99s Electronic Exit Program           certain Commission-related information was trans\xc2\xad\nprior to the employees\xe2\x80\x99 departure and that manage\xc2\xad        mitted using personal, nonsecure email. The OIG\nment advise employees, through training, correspon\xc2\xad       provided the results of its investigation to the agency\ndence, and other means, about the revised exit pro\xc2\xad       for appropriate action.\ncedures and their obligation to ensure that nonpublic\ninformation is not improperly disclosed.                  Former SEC Employee\xe2\x80\x99s Possession of\n                                                          SEC Documents Containing Nonpublic\nManagement\xe2\x80\x99s action on the OIG\xe2\x80\x99s recommenda\xc2\xad              Information (Case No. OIG-610)\ntions was pending at the end of the semiannual            The OIG investigated allegations that a former SEC\nreporting period. The OIG\xe2\x80\x99s memorandum is avail\xc2\xad          employee, who was a candidate for a position with\nable on its website at www.sec.gov/about/offices/oig/     an SEC regional office, possessed documents con\xc2\xad\nreports/investigations/2014/im-14-001(employee_           taining SEC nonpublic information that the former\nexit_process-records_review).pdf.                         employee had obtained through his prior employ\xc2\xad\n                                                          ment with the SEC.\nUnauthorized Disclosure of Nonpublic\nInformation From Executive Session                        During the course of its investigation, the OIG\nCommission Meeting (Case No. OIG-601)                     interviewed the former employee, who admitted\nThe OIG opened an investigation into concerns             possessing copies of SEC examination reports that\nabout the unauthorized disclosure of nonpub\xc2\xad              he had worked on while employed with the SEC.\nlic information from an Executive Session of a            The former employee agreed to cooperate with the\n\xe2\x80\x9cclosed\xe2\x80\x9d (nonpublic) Commission meeting. Specifi\xc2\xad         investigation, and the OIG subsequently recovered\ncally, the OIG was notified that information about        from that former employee the documents contain\xc2\xad\nthe Commission\xe2\x80\x99s deliberations and voting during          ing nonpublic information. The OIG determined\nthe closed Commission meeting had been disclosed,         that one of the documents that the former employee\nwithout authorization, to a news reporter. Subse\xc2\xad         had copied and taken with him when he left the\nquently, nonpublic information was included in a          SEC was marked \xe2\x80\x9cPrivileged & Confidential.\xe2\x80\x9d\nnews article by several reporters that was published\nbefore information about the closed Commission            The OIG referred the matter to the USAO for pos\xc2\xad\nmeeting was made public.                                  sible prosecution and the USAO declined prosecu\xc2\xad\n                                                          tion. The OIG provided a report of its findings to\nDuring its investigation, the OIG interviewed             SEC management for informational purposes and\nnumerous staff members and Commissioners who              closed its investigation.\n\n\n\n\n16   |   O I G S E M I A N N UA L R E P O RT TO CO N G R E SS\n\x0c      REVIEW OF LEGISLATION\n\n        AND REGULATIONS\n\n\n\nD\n        uring this semiannual reporting period, the OIG reviewed and monitored\n        the following legislation and regulations:\n\n\n\nP.L. 113-6\nConsolidated and Further Continuing Appropriations Act, 2013, Section 3003\n(enacted March 26, 2013), and P.L. 113-76, Section 742, Consolidated Appropria\xc2\xad\ntions Act, 2014 (enacted January 18, 2014) (requiring Federal agencies to report\nconference costs and other conference data to Inspectors General);\n\n5 C.F.R. Part 2641\nPost-Employment Conflict of Interest Restrictions, Appendix A - Positions Waived\nFrom 18 U.S.C. \xc2\xa7\xc2\xa7 207(c) and (f) (79 FR 1, January 2, 2014) (revoking certain\nexemptions of senior employee positions at the SEC from certain criminal post-\nemployment restrictions); and\n\n17 C.F.R. Part 200\nOrganization; Conduct and Ethics; and Information and Requests (79 FR 1734,\nJanuary 10, 2014) (amending SEC rules to reflect that the SEC\xe2\x80\x99s General Counsel\nis responsible for investigating allegations of professional misconduct by Commis\xc2\xad\nsion staff and, where appropriate, making referrals to state professional boards or\nsocieties).\n\n\n\n\n                                             O C TO B E R 1 , 2 01 3 \xe2\x80\x93 M A R C H 3 1 , 2 01 4   |   17\n\x0c                    MANAGEMENT DECISIONS\n\n\n\n     STATUS OF RECOMMENDATIONS WITH NO MANAGEMENT DECISIONS\n\n     Management decisions have been made on all audit reports issued before the beginning\n     of this reporting period.\n\n\n\n     REVISED MANAGEMENT DECISIONS\n\n     No management decisions were revised during the period.\n\n\n\n     AGREEMENT WITH SIGNIFICANT MANAGEMENT DECISIONS\n\n     The OIG agrees with all significant management decisions regarding audit\n     recommendations.\n\n\n\n     INSTANCES WHERE THE AGENCY REFUSED OR FAILED TO PROVIDE INFORMATION TO THE OIG\n\n     During this reporting period, there were no instances where the agency unreasonably\n     refused or failed to provide information to the OIG.\n\n\n\n\n18    |   O I G S E M I A N N UA L R E P O RT TO CO N G R E SS\n\x0c                                            TABLES\nTable 1. List of Reports: Audits and Evaluations\n\n     Report Number                                  Title                                           Date Issued\n\n          517         Controls Over the SEC\xe2\x80\x99s Government Purchase Card Program                       3/28/2014\n\n          522         Federal Information Security Management Act:\n                      Fiscal Year 2013 Evaluation                                                    3/31/2014\n\n        1-27-14       Inspector General\xe2\x80\x99s Report to OMB on the SEC\xe2\x80\x99s Implementation of\n      Letter report   Purchase Card Program Audit Recommendations                                    1/27/2014\n\n        2-24-14       Inspector General\xe2\x80\x99s Report of the SEC\xe2\x80\x99s Fiscal Year 2013\n      Letter report   Compliance with the Improper Payments Information Act                          2/24/2014\n\n\n\n\nTable 2. Reports Issued with Costs Questioned or Funds Put to Better Use\n(Including Disallowed Costs)\n\n                                                                            No. of Reports               Value\n\nA. Reports issued prior to this period\n\n      For which no management decision had been made on\n      any issue at the commencement of the reporting period                          0                     $0\n\n      For which some decisions had been made on some issues at the\n      commencement of the reporting period                                           0                     $0\n\nB.    Reports issued during this period                                              0                     $0\n\n                                           Total of Categories A and B               0                     $0\n\nC.    For which final management decisions were made during this period              0                     $0\n\nD.    For which no management decisions were made during this period                 0                     $0\n\nE.    For which management decisions were made on some issues\n      during this period                                                             0                     $0\n\n                                           Total of Categories C, D, and E           0                     $0\n\n\n\n\n                                                            O C TO B E R 1 , 2 01 3 \xe2\x80\x93 M A R C H 3 1 , 2 01 4   |   19\n\x0cTable 3. Reports With Recommendations on Which Corrective Action Has Not Been Completed\nDuring this semiannual reporting period, SEC management provided the OIG with documentation to\nsupport the implementation of OIG recommendations. In response, the OIG closed 27 recommendations\nrelated to 12 Office of Audits and Office of Investigations reports. The following table lists recommenda\xc2\xad\ntions open 180 days or more.\n\nReport Number and Title       Rec. No.   Issue Date              Recommendation Summary\n\n489 - 2010 Annual FISMA          5        3/3/2011    Complete the logical access integration of the\nExecutive Summary                                     Homeland Security Presidential Directive 12 card no\nReport                                                later than December 2011, as reported to the OMB\n                                                      on December 31, 2010.\n\n501 - 2011 Annual FISMA          1       2/2/2012     Develop and implement a detailed plan to review\nExecutive Summary                                     and update the OIT\xe2\x80\x99s security policies and pro\xc2\xad\nReport                                                cedures and to create OIT security policies and\n                                                      procedures for areas that lack formal policy and\n                                                      procedures.\n\n501 - 2011 Annual FISMA          13      2/2/2012     Complete the implementation of the technical solu\xc2\xad\nExecutive Summary                                     tion for linking multi-factor authentication to Per\xc2\xad\nReport                                                sonal Identity Verification (PIV) cards for system\n                                                      authentication and require use of the PIV cards as a\n                                                      second authentication factor by December 2012.\n\n512 - 2012 FISMA                 1       3/29/2013    Revise the information technology security assess\xc2\xad\nExecutive Summary                                     ment procedures to ensure they are consistent with\nReport                                                current practices and include language to imple\xc2\xad\n                                                      ment continuous monitoring and requirements for\n                                                      ongoing assessment of a subset of critical security\n                                                      controls.\n\n514 - Audit of the SEC\xe2\x80\x99s         4       3/29/2013    Complete a review of nondormant registrant\nFiling Fees Program                                   accounts according to the cost benefit analysis that\n                                                      the Office of Financial Management devised.\n\n518 \xe2\x80\x93 Use of the                 4       6/6/2013     Consider options for allowing the Division of Risk,\nCurrent Guidance on                                   Strategy, and Financial Innovation (now the Divi\xc2\xad\nEconomic Analysis in                                  sion of Economic and Risk Analysis) to include\nSEC Rulemakings                                       confidential information in the SEC\xe2\x80\x99s rules without\n                                                      releasing it to the public. The Office of the General\n                                                      Counsel and the Division should prepare a memo\xc2\xad\n                                                      randum that documents a process, which they have\n                                                      vetted, to describe any potential new approaches\n                                                      to handling such information.\n\n\n\n\n20   |   O I G S E M I A N N UA L R E P O RT TO CO N G R E SS\n\x0cTable 4. Summary of Investigative Activity for the Reporting Period of\nOctober 1, 2013 to March 31, 2014\n\n   Investigative Caseload                                                                              Number\n\n   Cases Open at Beginning of Period                                                                       17\n   Cases Opened During Period                                                                             10\n   Cases Closed During Period                                                                              4\n   Total Open Cases at End of Period                                                                      23\n\n\n\n   Criminal and Civil Investigative Activities                                                         Number\n\n   Referrals for Prosecution                                                                                8\n     Accepted                                                                                               2\n     Declined                                                                                               7*\n   Indictments/Informations                                                                                 1\n   Arrests                                                                                                  1\n\n\n\n   Administrative Investigative Activities                                                             Number\n\n   Suspensions                                                                                              1\n   Reprimands/Warnings/Other Actions                                                                        2\n\n\n\n   Complaints Received                                                                                 Number\n   Hotline Complaints                                                                                    211\n   Other Complaints                                                                                      485\n   Total Complaints During Period                                                                        696\n*One declined matter was referred for prosecution in a previous reporting period.\n\n\n\n\n                                                              O C TO B E R 1 , 2 01 3 \xe2\x80\x93 M A R C H 3 1 , 2 01 4   |   21\n\x0cTable 5. References to Reporting Requirements of the Inspector General Act\n\n     Section      Inspector General Act Reporting Requirement                                      Pages\n\n     4(a)(2)      Review of Legislation and Regulations                                                 17\n\n     5(a)(1)      Significant Problems, Abuses, and Deficiencies                            6, 9\xe2\x80\x9311, 14\xe2\x80\x9316\n\n     5(a)(2)      Recommendations for Corrective Action                                        9\xe2\x80\x9311, 15\xe2\x80\x9316\n\n     5(a)(3)      Prior Recommendations Not Yet Implemented                                             20\n\n     5(a)(4)      Matters Referred to Prosecutive Authorities                                    14\xe2\x80\x9316, 21\n\n     5(a)(5)      Summary of Instances Where the Agency\n                  Unreasonably Refused or Failed to Provide Information to the OIG                      18\n\n     5(a)(6)      List of OIG Audit and Evaluation Reports Issued During the Period                     19\n\n     5(a)(7)      Summary of Significant Reports Issued During the Period                      9\xe2\x80\x9311, 14\xe2\x80\x9316\n\n     5(a)(8)      Statistical Table on Management Decisions with Respect to Questioned Costs            19\n\n     5(a)(9)      Statistical Table on Management Decisions on\n                  Recommendations That Funds Be Put to Better Use                                       19\n\n     5(a)(10)     Summary of Each Audit, Inspection, or Evaluation Report Issued Before the Beginning\n                  of the Reporting Period for Which No Management Decision Has Been Made                18\n\n     5(a)(11)     Significant Revised Management Decisions                                              18\n\n     5(a)(12)     Significant Management Decisions With Which the Inspector General Disagreed           18\n\n     5(a)(14)(B) Date of the Last Peer Review Conducted by Another OIG                                  23\n\n\n\n\n22    |   O I G S E M I A N N UA L R E P O RT TO CO N G R E SS\n\x0c                                                APPENDIX A\n\n\n     PEER REVIEWS OF OIG OPERATIONS\n\nPEER REVIEW OF THE SEC OIG\xe2\x80\x99S                             PEER REVIEW OF THE SEC OIG\xe2\x80\x99S\nAUDIT OPERATIONS                                         INVESTIGATIVE OPERATIONS\nIn accordance with the CIGIE quality control and         During the semiannual reporting period, the SEC\nassurance standards, an OIG\xe2\x80\x99s audit functions are        OIG did not have an external peer review of its\nassessed by an external OIG audit team approxi\xc2\xad          investigative operations. The most recent peer\nmately every three years. The Legal Services Corpo\xc2\xad      review of the SEC OIG\xe2\x80\x99s investigative operations\nration (LSC) OIG conducted an assessment of the          was conducted by the OIG of the U.S. Equal\nOffice of Audit\xe2\x80\x99s system of quality control for the      Employment Opportunity Commission (EEOC).\nperiod ending March 31, 2012. The review focused         The EEOC OIG issued its report on the SEC OIG\xe2\x80\x99s\non whether the SEC OIG established and complied          investigative operations in July 2007. That report\nwith a system of quality control that is suitably        concluded that the SEC OIG\xe2\x80\x99s system of quality\ndesigned to provide the SEC OIG with a reasonable        for the investigative function conformed to the\nassurance of conforming with applicable profes\xc2\xad          professional standards established by the Presi\xc2\xad\nsional standards.                                        dent\xe2\x80\x99s Council on Integrity and Efficiency and the\n                                                         Executive Council on Integrity and Efficiency (now\nOn August 23, 2012, the LSC OIG issued its report,       CIGIE).\nconcluding that the SEC OIG complied with the\nsystem of quality control and that it was suitably       A peer review of the investigative operations of the\ndesigned to provide the SEC OIG with reasonable          SEC OIG is planned for FY 2014.\nassurance of performing and reporting in conformity\nwith applicable government auditing standards in\nall material respects. Federal audit organizations can\nreceive a rating of \xe2\x80\x9cpass,\xe2\x80\x9d \xe2\x80\x9cpass with deficiencies,\xe2\x80\x9d\nor \xe2\x80\x9cfail.\xe2\x80\x9d The SEC OIG received a \xe2\x80\x9cpass\xe2\x80\x9d rating,\nand no recommendations were made. Further, there\nare no outstanding recommendations from previous\npeer reviews of our audit organization.\n\nThe peer review report is available on the SEC\nOIG\xe2\x80\x99s website at www.sec.gov/about/offices/oig/\nreports/reppubs/other/finalpeerreviewreport-sec.pdf.\n\n\n\n\n                                                         O C TO B E R 1 , 2 01 3 \xe2\x80\x93 M A R C H 3 1 , 2 01 4   |   23\n\x0c              OIG CONTACT INFORMATION\n\n\n          Help ensure the integrity of SEC operations. Report to the OIG suspected fraud, waste,\n          or abuse in SEC programs or operations as well as SEC staff or contractor misconduct.\n          Contact the OIG by:\n\n          PHONE\t           Hotline          877.442.0854\n                           Main Office      202.551.6061\n\n          WEB-BASED        www.sec.gov/about/offices/oig/inspector_general_investigations_hotline.shtml\n          HOTLINE\n\n\n          FAX\t             202.772.9265\n\n          MAIL\t            Office of Inspector General\n                           U.S. Securities and Exchange Commission\n                           100 F Street, NE, Washington, DC 20549\xe2\x80\x932977\n\n          EMAIL\t           oig@sec.gov\n\n\n\n          Information received is held in confidence upon request. While the OIG encourages com\xc2\xad\n          plainants to provide information on how they may be contacted for additional information,\n          anonymous complaints are also accepted.\n\n\n\n\n24   |   O I G S E M I A N N UA L R E P O RT TO CO N G R E SS\n\x0c\x0c\x0c'